IN THE CLAIMS: 

Please amend the claims to read as follows: 

1. (Withdrawn) A method of detecting surveillance or attack activity over a 
computer communications network, comprising: 

receiving a plurality of messages from a data sensor located at a network audit 
point, each of said messages describing an event occurring on said communications 
network; 

classifying one or more of said events to produce one or more labeled alerts; 
combining one or more said labeled alerts to produce a combined alert; and 
aggregating one or more said combined alerts to produce an aggregate alert 
notification. 

2. (Withdrawn) The method of claim 1, further comprising filtering one or more 
said aggregate alert notifications by a cost-based model to produce a qualified alert. 

3. (Currently amended) A method of detecting surveillance activity over probes on 
a computer communications network, comprising: 

receiving a plurality of messages from a data sensor located at a network audit 
point, each of said messages describing an event occurring on said communications 
network; 

processing [[one or more of said messages comprising one or more of the 
following:]] to form connection sessions by clustering packets a) exchanged between the 
two addresses within a specified time period where the addresses are not predetermined 
[[;]] or [[clustering packets exchanged between two addresses]] b) having certain flags 
set[[;]] [[clustering packets exchanged between two addresses having similar flags set; and 
clustering packets exchanged between two]] or c) having addresses having that are 
not predetermined but have similar characteristics; 

detecting a surveillance probe by: 

grouping connection sessions into a plurality of groups; 

scoring each group; and 

generating an alert for each group whose score is greater than an 
empirically derived threshold. 

4. (Canceled) 

5. (Currently amended) The method of claim [[4]] 3, further comprising [[the control 
of]] controlling false positive detections vs. false negative detections. 

6. (Currently amended) The method of claim [[4]] 3, further comprising [[generation 
of]] generating a profile of surveillance activity, said profile of surveillance activity 
comprising one or more of the following: 

a breakdown of probes; 

[[the]] a number of attackers; 

[[the]] a number of attacks per unit time; 

[[the]] a percentage of activity that constitutes malicious surveillance; 
[[the]] a breakdown of source country frequencies; 
the most frequently-targeted network addresses; and 
[[the]] a temporal frequency trends of individual attackers. 

7. (Currently amended) The method of claim [[4]] 3, further comprising processing 
one or more said detected surveillance probes to produce a detected surveillance scan, 
said processing of one or more said detected surveillance probes to produce a detected 
surveillance scan comprising one or more of the following: 

modeling and detecting surveillance scans as a series of surveillance probes that 
originate from one or more source addresses and that are sent to one or more destination 
addresses; 

modeling and detecting surveillance scans performed by a particular source 
address by identifying a particular source address that sends more than a specified 
number of probes; 

modeling and detecting surveillance scans performed by a particular source 
address by identifying a source address that generates more than a specified number of 
probes within a specified time period; 

modeling and [[surveillance]] detecting surveillance scans performed by one source 
IP address by identifying a source address that sends probes to more than a specified 
number of destinations; 

modeling and detecting surveillance scans performed by a particular source 
address by identifying a source address that sends probes to a specified set of 
destinations; 

modeling and detecting surveillance scans performed by a particular source 
address by identifying a source address that sends probes to specified ports; and 

modeling and detecting surveillance scans performed by a particular source 
address by identifying a source address that sends probes to a number of destinations in 
excess of a specified limit within a specified time period[[;]] 
[[limiting the number of detected scans by reporting only source addresses that 
perform more than a specified number of probes within a specified time; and 

limiting the number of detected scans by reporting only source address groups 
that perform more than a specified number of probes within a specified time.]] 

8. (Currently amended) The method of claim 7, further comprising [[the control of]] 
controlling false positive detections vs. false negative detections. 

9. (Currently amended) The method of claim 7, further comprising [[generation of]] 
generating a profile of surveillance activity, said profile of surveillance activity 
comprising one or more of the following: 

a breakdown of probes; 

a breakdown of scans; 

[[the]] a number of attackers; 

[[the]] a number of attacks per unit time; 

[[the]] a percentage of activity that constitutes malicious surveillance; 
[[the]] a breakdown of source country frequencies; 
the most frequently-targeted network addresses; and 
[[the]] a temporal frequency trends of individual attackers. 

10. (Original) The method of claim 7, further comprising processing one or more 
said detected surveillance scans to detect a group of scanning hosts, said processing of 
one or more said detected surveillance scans to detect a group of scanning hosts 
comprising: 

modeling and detecting scans distributed across a series of source addresses by 
grouping addresses, said grouping of addresses being performed by subtracting one 
address from another and placing the two addresses in the same group if the difference is 
less than a specified amount. 

11. (Currently amended) The method of claim 10, further comprising [[the control of]] 
controlling false positive detections vs. false negative detections. 

12. (Currently amended) The method of claim 10, further comprising [[generation of]] 
generating a profile of surveillance activity, said profile of surveillance activity 
comprising one or more of the following: 

a breakdown of probes; 

a breakdown of scans; 

[[the]] a number of attackers; 

[[the]] a number of attacks per unit time; 

[[the]] a percentage of activity that constitutes malicious surveillance; 
[[the]] a breakdown of source country frequencies; 
the most frequently-targeted network addresses; and 
[[the]] a temporal frequency trends of individual attackers. 

13. (Withdrawn) A method of detecting surveillance or attack activity over a 
communication network comprising: 

combining alerts to such surveillance or attack activity generated by an intrusion 
detection system with alerts to such surveillance or attack activity generated by an 
anomaly detection system to produce a combined alert; 

prioritizing said combined alert to produce a prioritized alert; 

presenting said prioritized alert to a security analyst. 
14. (Withdrawn) A computer program product for use in conjunction with a 
computer system to classify and analyze surveillance or attack activity over a 
communications network, the computer program product comprising a computer readable 
storage medium and a computer program mechanism embedded therein, the computer 
program mechanism comprising: 

an event data storage buffer that receives and stores incoming event data; 

an initial event evaluator that receives event data from said event data storage 
buffer and generates raw alerts; 

a raw alert data storage buffer that receives and stores said raw alerts; 

a post-processing alert evaluator that receives said stored raw alerts and produces 
processed alerts; 

a plurality of alert filtering modules that receive said processed alerts and produce 
user alerts; 

a user alert data buffer that receives and stores said user alerts; 

a plurality of production models for said initial event evaluator; 

a plurality of production models for said alert filtering modules; 

storage for said production models for said initial event evaluator and for said 
production models for said alert filtering modules; and 

an automated job submission manager that orchestrates the operations of said 
initial event evaluator and of said post-processing alert evaluator. 

15. (Withdrawn) A computer system for formatting, classifying and analyzing 
surveillance or attacks over a communications network, the computer system comprising: 

a central processing unit; 
a memory, coupled to the central processing unit, the memory storing: 

outputs of sensors connected to the communications network; 

outputs of an initial event evaluator; 

outputs of a post-processing alert evaluator; 

outputs of a plurality of alert filtering modules; 

a plurality of production models for said initial event evaluator; and 

a plurality of production models for said alert filtering modules. 

16. (Withdrawn) A method of processing computer network surveillance alerts, 
comprising: 

receiving alerts from an intrusion detection system; 
receiving alerts from an anomaly detection system; 
receiving alerts from a scan/probe detection system; 

aggregating one or more of said alerts from said intrusion detection system, said 
anomaly detection system, and said scan/probe detection system; and 
generating an aggregated alert. 

17. (Withdrawn) A user display for profiling surveillance activity over a computer 
network, said user display comprising: a display of a numerical estimate of the severity 
of an attack and one or more of the following: 

a list of the highest priority threats; 
a list of the highest priority targets; 
detailed threat information; 
detailed target information; 
the country of origin of an attack; 

the country of origin of a target; and 
a plot of attack severity versus time. 

18. (Withdrawn) A method of detecting surveillance or attack activity over a 
computer communications network, comprising: 

modeling network connections; 

detecting said network connections that are likely surveillance probes originating 
from malicious sources; 

detecting scanning activity by grouping source addresses that are logically close 
to one another; and 

recognizing certain combinations of said likely surveillance probes. 

19. (New) The method of claim 3 wherein the step of processing said connection 
sessions to detect a surveillance probe further comprises at least one of the following 
steps: 

identifying packets that have a particular arrangement of flags set; 
identifying packets that have all flags set; 

identifying packets that have payloads smaller than a predetermined size; 
identifying packets to which there is no response. 

20. (New) The method of claim 3 wherein the step of processing said connection 
sessions to detect a surveillance probe further comprises at least one of the following 
steps: 

identifying detected connections with fewer packets than a predetermined limit; 
identifying detected connections with packets that have traveled only from a 
source to a destination; 
identifying detected connections with packets that have traveled only from the 
destination to the source; and 

identifying detected connections with packets whose payloads are smaller than a 
predetermined limit. 
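Claims 3, 19 and 20 together describe one pipeline: cluster packets exchanged between two addresses within a time period into connection sessions, score the sessions on probe-like features (unusual flag arrangements, few packets, one-way traffic with no response, small payloads), group the sessions, and raise an alert for each group whose score exceeds a threshold. The Python below is an added worked example of that pipeline over constructed packet records; it is not code from the claims or from the applicant. The session gap, payload limit, one-point-per-feature scoring, grouping by initiating address, the use of the mean session score as the group score, and the alert threshold are all assumptions standing in for the values the claims leave to be fixed empirically.

```python
"""Probe detection from raw packets, following claims 3, 19 and 20 (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# All thresholds below are assumptions chosen for the constructed sample, not values
# taken from the claims, which leave them to be fixed empirically.
SESSION_GAP = 2.0      # seconds; a longer silence between two packets starts a new session
SMALL_PAYLOAD = 16     # bytes; payloads below this count as "smaller than a predetermined size"
FEW_PACKETS = 3        # sessions with fewer packets than this count as "few packets"
SCAN_FLAGS = {"FPU", "SFRPAU", ""}   # Xmas, all-flags and null arrangements of TCP flags
ALERT_THRESHOLD = 2    # stands in for the claim's "empirically derived threshold"


@dataclass
class Packet:
    ts: float      # capture time in seconds
    src: str       # source address
    dst: str       # destination address
    flags: str     # TCP flag letters, e.g. "S" for SYN, "" for none
    payload: int   # payload length in bytes


def cluster_sessions(packets, gap=SESSION_GAP):
    """Claim 3 a): cluster packets exchanged between two addresses within a time
    period. The pair is unordered so both directions of a conversation share one
    session, and no address is predetermined."""
    by_pair = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        by_pair[frozenset((p.src, p.dst))].append(p)
    sessions = []
    for pkts in by_pair.values():
        current = [pkts[0]]
        for p in pkts[1:]:
            if p.ts - current[-1].ts > gap:   # silence longer than the gap: new session
                sessions.append(current)
                current = []
            current.append(p)
        sessions.append(current)
    return sessions


def score_session(session):
    """Claims 19/20 features, one point each (equal weights are an assumption)."""
    initiator = session[0].src
    score = 0
    if any(p.flags in SCAN_FLAGS for p in session):
        score += 1   # particular arrangement of flags set / all flags set
    if len(session) < FEW_PACKETS:
        score += 1   # fewer packets than a predetermined limit
    if all(p.src == initiator for p in session):
        score += 1   # packets travelled only one way, i.e. no response
    if all(p.payload < SMALL_PAYLOAD for p in session):
        score += 1   # payloads smaller than a predetermined size
    return score


def detect_probes(packets, threshold=ALERT_THRESHOLD):
    """Claim 3: group sessions, score each group, alert where the score exceeds
    the threshold. Grouping by initiating address and using the mean session
    score as the group score are assumptions. Returns {initiator: group score}."""
    groups = defaultdict(list)
    for session in cluster_sessions(packets):
        groups[session[0].src].append(score_session(session))
    return {src: sum(s) / len(s) for src, s in groups.items()
            if sum(s) / len(s) > threshold}


# Constructed sample: one complete, two-way HTTP-style exchange and two lone
# packets from a second host that never receives a reply.
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", "10.0.0.9", "S", 0),
    Packet(0.01, "10.0.0.9", "10.0.0.5", "SA", 0),
    Packet(0.02, "10.0.0.5", "10.0.0.9", "A", 0),
    Packet(0.03, "10.0.0.5", "10.0.0.9", "PA", 120),
    Packet(0.05, "10.0.0.9", "10.0.0.5", "PA", 800),
    Packet(5.00, "192.0.2.77", "10.0.0.9", "S", 0),     # lone SYN, no response
    Packet(9.00, "192.0.2.77", "10.0.0.9", "FPU", 0),   # Xmas packet, separate session
]

if __name__ == "__main__":
    for src, score in detect_probes(SAMPLE_PACKETS).items():
        print(f"probe alert: {src} group score {score:.1f}")
```

On the constructed sample the two-way exchange scores zero on every feature, while the two one-way sessions from 192.0.2.77 score 3 and 4 and the group mean of 3.5 clears the assumed threshold. The balance between false positives and false negatives that claims 5, 8 and 11 refer to is governed here by ALERT_THRESHOLD and the per-feature limits.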

21. (New) The method of claim 7 further comprising the steps of: 

limiting the number of detected scans by reporting only source addresses that 
perform more than a specified number of probes within a specified time; and 

limiting the number of detected scans by reporting only source address groups 
that perform more than a specified number of probes within a specified time. 
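Claims 7, 10 and 21 describe the next stage: report a source address as scanning from its probe count, its destination spread within a time period and the ports it probes; group source addresses whose numeric difference is below a specified amount; and report only sources or address groups that exceed a probe count within a specified time. The Python below is an added example of those steps over constructed probe records (the kind of output the probe-detection step produces); it is not the applicant's code. Every threshold it uses (probe limit, window, destination limit, watched ports, address distance) is an assumption, and walking the sorted addresses to chain neighbours is an assumed way of taking the closure of the claim's pairwise subtraction rule.

```python
"""Scan detection from detected probes, following claims 7, 10 and 21 (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Thresholds are assumptions picked for the constructed sample, not values from the claims.
PROBE_LIMIT = 5              # "more than a specified number of probes" per source
WINDOW = 60.0                # "within a specified time period", in seconds
DEST_LIMIT = 3               # "more than a specified number of destinations"
WATCHED_PORTS = frozenset({23, 3389})   # "specified ports"
GROUP_DISTANCE = 16          # claim 10: addresses closer than this (numerically) share a group


@dataclass
class Probe:
    ts: float    # time of the probe in seconds
    src: str     # probing source address
    dst: str     # probed destination address
    dport: int   # probed destination port


def scans_by_source(probes, probe_limit=PROBE_LIMIT, window=WINDOW,
                    dest_limit=DEST_LIMIT, watched_ports=WATCHED_PORTS):
    """Claim 7: report a source as scanning when, inside one window, it sends more
    than probe_limit probes or reaches more than dest_limit destinations, or when
    it probes a watched port at all. Returns {source: set of reasons}."""
    per_src = defaultdict(list)
    for p in probes:
        per_src[p.src].append(p)
    findings = {}
    for src, plist in per_src.items():
        plist.sort(key=lambda p: p.ts)
        reasons = set()
        if any(p.dport in watched_ports for p in plist):
            reasons.add("specified_port")
        start = 0
        for end in range(len(plist)):          # sliding window over the probe timestamps
            while plist[end].ts - plist[start].ts > window:
                start += 1
            in_window = plist[start:end + 1]
            if len(in_window) > probe_limit:
                reasons.add("probe_rate")
            if len({p.dst for p in in_window}) > dest_limit:
                reasons.add("destination_spread")
        if reasons:
            findings[src] = reasons
    return findings


def group_sources(addresses, max_distance=GROUP_DISTANCE):
    """Claim 10: subtract one address from another and put both in one group when
    the difference is below max_distance. Walking the sorted addresses and chaining
    neighbours is an assumed way of taking the closure of that pairwise rule."""
    ordered = sorted(addresses, key=lambda a: int(ip_address(a)))
    groups = []
    for addr in ordered:
        if groups and int(ip_address(addr)) - int(ip_address(groups[-1][-1])) < max_distance:
            groups[-1].append(addr)
        else:
            groups.append([addr])
    return groups


def report_scanning_groups(probes, group_limit=PROBE_LIMIT, window=WINDOW,
                           max_distance=GROUP_DISTANCE):
    """Claim 21, group form: report only address groups that together send more than
    group_limit probes inside one window. Neighbours that individually stay under the
    per-source limit are still reported as one group."""
    groups = group_sources({p.src for p in probes}, max_distance)
    index = {addr: i for i, group in enumerate(groups) for addr in group}
    reported = []
    for i, group in enumerate(groups):
        ts = sorted(p.ts for p in probes if index[p.src] == i)
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 > group_limit:
                reported.append(group)
                break
    return reported


# Constructed sample: one loud scanner, three quiet neighbours that split a sweep
# between them, and one stray probe from an unrelated network.
SAMPLE_PROBES = (
    [Probe(float(i), "198.51.100.10", f"10.0.0.{i + 1}", 80) for i in range(8)]
    + [Probe(100.0 + i, f"198.51.100.{40 + i // 2}", f"10.0.1.{i + 1}", 80) for i in range(6)]
    + [Probe(300.0, "203.0.113.200", "10.0.0.9", 80)]
)

if __name__ == "__main__":
    print(scans_by_source(SAMPLE_PROBES))
    print(report_scanning_groups(SAMPLE_PROBES))
```

On the sample, the per-source rule of claim 7 reports only 198.51.100.10, because each of the three neighbours sends just two probes. The address grouping of claim 10 joins 198.51.100.40 through .42 into one group (they differ by 1, far below the assumed distance of 16, while .10 is 30 away), and the group form of the limiting step in claim 21 then reports that group because its pooled six probes exceed the limit inside one window. The stray probe from 203.0.113.200 is reported by neither rule.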